log2timeline is designed as a framework for artifact timeline creation and analysis. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a body file that can be used to create a timeline, using tools such as mactime from TSK, for forensic investigators.


==Description==


log2timeline takes a log file (or a directory) and parses it to produce a body file that can be imported into other tools for timeline analysis. Both the input side and the output side of the tool are modular. The default behavior of the current version is to export the timeline in the body format read by TSK's (The Sleuth Kit) [http://wiki.sleuthkit.org/index.php?title=Body_file mactime], although the output format can easily be changed. log2timeline is built as a series of scripts, this one being the front-end, which calls other scripts (called modules) to actually parse the log files. The tool is built to be easily extended by anyone who wants to create a new module.


Version 0.51 (nightly build 20102608) ships three front-ends:

* '''log2timeline''' - The main front-end. It parses a single log file or directory, passed to the tool, using a selected input module.
* '''timescanner''' - A recursive front-end. It takes a directory, walks every file and subdirectory under it, and tries to parse each file with every input module (or a selected subset of them), giving an automated way to build a super timeline.
* '''glog2timeline''' - A simple GUI front-end with capabilities similar to log2timeline (the main front-end).


==Currently Supported Output Modules==

The output modules available in version 0.51 (nightly build 20102608) are:

* '''cftl''' - Output the timeline in an XML format that can be read by CFTL
* '''csv''' - Output the timeline as a CSV (Comma Separated Value) file
* '''mactime''' - Output the timeline in the mactime body format
* '''mactime_l''' - Output the timeline in the legacy mactime body format (TSK versions 1.x and 2.x)
* '''simile''' - Output the timeline in an XML format that can be read by a SIMILE widget
* '''sqlite''' - Output the timeline into a SQLite database
* '''tab''' - Output the timeline as a TDV (Tab Delimited Value) file
* '''tln''' - Output the timeline in H. Carvey's TLN format
* '''tlnx''' - Output the timeline in H. Carvey's TLN format as XML
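
The input-module / output-module split described above, the timescanner-style recursive pass, and two of the listed output formats (the TSK 3.x mactime body file and Carvey's TLN) can be seen working together in the following added example. It is not log2timeline's own code (which is Perl) and is written in Python purely for illustration; the module names (apache, bash_history), the verify()/parse() convention, the event-record fields and the sample log lines are all this example's own assumptions, and the sample artifacts are constructed, not real evidence.

```python
"""Added example, not log2timeline's own code: a miniature Python sketch of the modular
design described above -- input modules that normalise artifacts into one event record
(time = Unix epoch seconds, UTC, so events from different sources sort together), a
timescanner-style pass that tries every input module on every file, and output modules
that render the same events as a TSK 3.x mactime body file or Harlan Carvey's TLN.
Module names, record fields and the sample log lines are constructed for illustration."""
import os
import re
from datetime import datetime

# --- input module 1: Apache/NCSA common log format (verify + parse; names are this example's) ---
APACHE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def apache_verify(first_line):
    return APACHE_RE.match(first_line) is not None

def apache_parse(lines, path):
    for line in lines:
        m = APACHE_RE.match(line)
        if not m:
            continue  # skip a malformed line instead of aborting the whole file
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")  # %z keeps the UTC offset
        yield {"time": int(when.timestamp()), "source": "WEBLOG", "host": m["host"],
               "user": "" if m["user"] == "-" else m["user"],
               "desc": f'{m["req"]} -> {m["status"]} [{path}]'}

# --- input module 2: bash history written with HISTTIMEFORMAT set (#<epoch> before each command) ---
def bashhist_verify(first_line):
    return re.fullmatch(r"#\d{9,10}", first_line.strip()) is not None

def bashhist_parse(lines, path):
    pending = None
    for line in lines:
        if re.fullmatch(r"#\d+", line):
            pending = int(line[1:])  # timestamp line; bash stores UTC epoch seconds already
        elif pending is not None:
            yield {"time": pending, "source": "BASH", "host": "", "user": "",
                   "desc": f"command: {line} [{path}]"}
            pending = None

INPUT_MODULES = {"apache": (apache_verify, apache_parse),
                 "bash_history": (bashhist_verify, bashhist_parse)}

# --- output modules: the same events, rendered in different formats ---
def out_mactime(events):
    # TSK 3.x body line: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime. Fields that
    # mean nothing for a log entry are 0; the event time fills all four slots (illustrative choice).
    return "\n".join(f"0|[{e['source']}] {e['desc']}|0|0|0|0|0|{e['time']}|{e['time']}|"
                     f"{e['time']}|{e['time']}" for e in events)

def out_tln(events):
    # TLN: Time|Source|Host|User|Description, with Time as Unix epoch seconds in UTC
    return "\n".join(f"{e['time']}|{e['source']}|{e['host']}|{e['user']}|{e['desc']}"
                     for e in events)

# --- timescanner-style pass: try every input module on every file, then merge and sort ---
def scan(files, modules=INPUT_MODULES):
    """files: {path: text}. A module runs only if its verify() accepts the file's first line."""
    events = []
    for path, text in files.items():
        lines = text.splitlines()
        if not lines:
            continue
        for _name, (verify, parse) in modules.items():
            if verify(lines[0]):
                events.extend(parse(lines, path))
    return sorted(events, key=lambda e: e["time"])  # the super timeline: all sources, time ordered

def scan_dir(root):
    """Recursive variant over a real directory tree: every file under root is fed to scan()."""
    files = {}
    for d, _dirs, names in os.walk(root):
        for n in names:
            with open(os.path.join(d, n), encoding="utf-8", errors="replace") as fh:
                files[os.path.join(d, n)] = fh.read()
    return scan(files)

SAMPLE_FILES = {  # constructed sample artifacts, not real evidence
    "var/log/apache2/access.log":
        '10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326\n'
        '10.0.0.9 - alice [10/Oct/2000:21:02:01 +0000] "POST /upload.php HTTP/1.1" 200 51\n'
        "garbage line\n",
    "home/alice/.bash_history": "#971212000\nwget http://10.0.0.9/x.sh\n#971212030\nchmod +x x.sh\n",
    "etc/hostname": "ws01\n",  # matches no input module and is silently skipped
}

def demo():
    events = scan(SAMPLE_FILES)
    return {"events": events, "mactime": out_mactime(events), "tln": out_tln(events)}

if __name__ == "__main__":
    print(out_tln(scan(SAMPLE_FILES)))
```

Two points the sketch is built around matter in practice. First, the verify step is what keeps a recursive scan honest: a module that accepts files it cannot parse produces silent garbage in the timeline, so this sketch rejects anything whose first line does not match and skips malformed lines inside an accepted file. Second, every record is reduced to UTC epoch seconds before it is written out; the Apache line carries its own UTC offset, but many artifacts do not, and a wrong timezone assumption shifts one source against the others and breaks the whole super timeline.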

== Plaso - The next generation ==

Version 0.x of log2timeline has been extremely useful, but it is written in Perl and has performance limitations. A major effort to rewrite it in Python, named [[plaso]], is underway and alpha releases have been published.

For version 1.x the plaso engine has been created and front-ends have been written. The CLI front-ends include log2timeline.py and psort.py; a GUI front-end is provided by 4n6time.

Revision as of 05:37, 10 May 2013


The tool is written in Perl for Linux but has been tested on Mac OS X (10.5.7 and 10.5.8). Parts of it should also work natively on Windows (with ActiveState Perl installed).
